Changed in version 2.0: Previous versions of CKAN used a different authorization system.

CKAN’s authorization system controls which users are allowed to carry out which
actions on the site. All actions that users can carry out on a CKAN site are
controlled by the authorization system. For example, the authorization system
controls who can register new user accounts, delete user accounts, or create,
edit and delete datasets, groups and organizations.

Authorization in CKAN can be controlled in three ways:

Organizations

Configuration file options

Extensions

The following sections explain each of the three methods in turn.

Note

An organization admin in CKAN is an administrator of a particular
organization within the site, with control over that organization and its
members and datasets. A sysadmin is an administrator of the site itself.
Sysadmins can always do everything, including adding, editing and deleting
datasets, organizations and groups, regardless of the organization roles and
configuration options described below.

Organizations are the primary way to control who can see, create and update
datasets in CKAN. Each dataset can belong to a single organization, and each
organization controls access to its datasets.

Datasets can be marked as public or private. Public datasets are visible to
everyone. Private datasets can only be seen by logged-in users who are members
of the dataset’s organization. Private datasets are not shown in general
dataset searches but are shown in dataset searches within the organization.

When a user joins an organization, an organization admin gives them one of
three roles: member, editor or admin.

An organization admin can:

View the organization’s private datasets

Add new datasets to the organization

Edit or delete any of the organization’s datasets

Make datasets public or private

Add users to the organization, and choose whether to make the new user a
member, editor or admin

Change the role of any user in the organization, including other admin users

The create_dataset_if_not_in_organization option allows users who are not
members of any organization to create datasets (default: true).
create_unowned_dataset must also be True; otherwise, setting
create_dataset_if_not_in_organization to True is meaningless.

Makes role permissions apply to all the groups down the hierarchy from the groups that the role is applied to.

For example, suppose a particular user has the ‘admin’ role for the group ‘Department of Health’. If you set the value of this option to ‘admin’, then the user will automatically have the same admin permissions for the child groups of ‘Department of Health’, such as ‘Cancer Research’ (and its children, and so on).

CKAN extensions can implement custom authorization rules by overriding the
authorization functions that CKAN uses. This is done by implementing the
IAuthFunctions plugin interface.

Dataset visibility is determined by permission labels stored in the
search index. To change your dataset visibility rules, implement the
IPermissionLabels plugin interface, then rebuild your search index.
There is no need to override the package_show auth function; it will
inherit these changes automatically.
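
The following standalone model is an added illustration, not CKAN's own code, of why label-based visibility requires a search index rebuild: dataset labels are stored at index time, so a new rule only takes effect for datasets that are re-indexed. It does not import CKAN or implement IPermissionLabels; all function names, the label strings and the `embargoed` field are assumptions made for this sketch.

```python
# Standalone model of label-based dataset visibility; it does not import CKAN.
# Label strings ("public", "member-<org>", "creator-<user>") are assumptions
# made for this sketch.

def dataset_labels(dataset):
    """Labels computed when a dataset is written to the search index."""
    if not dataset.get("private"):
        return ["public"]
    if dataset.get("owner_org"):
        return ["member-" + dataset["owner_org"]]
    return ["creator-" + dataset["creator"]]

def user_labels(user):
    """Labels computed per request; user is None for anonymous visitors."""
    labels = ["public"]
    if user:
        labels.append("creator-" + user["id"])
        labels += ["member-" + org for org in user["orgs"]]
    return labels

def build_index(datasets, label_fn=dataset_labels):
    """Store each dataset's labels next to its name, as an index would."""
    return {d["name"]: set(label_fn(d)) for d in datasets}

def search(index, user, label_fn=user_labels):
    """Return the datasets whose stored labels intersect the user's labels."""
    mine = set(label_fn(user))
    return sorted(name for name, labels in index.items() if labels & mine)

def embargo_labels(dataset):
    """Hypothetical custom rule: embargoed datasets are never public."""
    if dataset.get("embargoed"):
        return ["member-" + dataset["owner_org"]]
    return dataset_labels(dataset)

# Constructed sample data.
DATASETS = [
    {"name": "budget", "private": False, "owner_org": "finance", "creator": "ann"},
    {"name": "payroll", "private": True, "owner_org": "finance", "creator": "ann"},
    {"name": "audit", "private": False, "owner_org": "finance", "creator": "ann",
     "embargoed": True},
]
ANN = {"id": "ann", "orgs": ["finance"]}

if __name__ == "__main__":
    old_index = build_index(DATASETS)                  # built with default rule
    print(search(old_index, None))                     # anonymous visitor
    print(search(old_index, ANN))                      # organization member
    new_index = build_index(DATASETS, embargo_labels)  # index rebuilt
    print(search(new_index, None))
```

Until the index is rebuilt with the new rule, the anonymous search still returns the embargoed dataset, because its stored labels were computed under the old rule.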